Involvement of APTs
Recently, the TA505 (aka Chimborazo) and MuddyWater (aka Mercury) groups were observed gaining direct access to domain controllers via the Zerologon vulnerability.
TA505 deployed a campaign that lured victims with fake software updates to connect to the threat actor's C2 infrastructure and then used the Zerologon vulnerability to gain elevated privileges.
The threat actor also relied on legitimate tools: Windows Script Host (WScript.exe) to execute scripts in various scripting languages; Mimikatz, which includes exploit code for the Zerologon vulnerability; and Microsoft Build Engine (MSBuild.exe) to compile and run payloads.
A few days ago, Microsoft reported that an Iranian state-sponsored hacker group, dubbed MuddyWater, was also exploiting the Zerologon vulnerability.
A trending subject around the globe
The attacks were first detected in September, about a week after proof-of-concept exploit code was published.
In the first week of October, hackers exploited a flaw (CVE-2020-25213) in the WordPress File Manager plugin to gain an initial foothold, then leveraged the Zerologon vulnerability to attack domain controllers.
According to DHS, government election systems face a threat from active Zerologon exploits. However, in mid-September, the ..